As you may know, the latest versions of software packages are not available in the software repositories. It can take a few months for any release upgrade to appear in the repository. Unfortunately, in the real world the latest releases never appear in the official repositories of RHEL/CentOS Linux.
In my opinion, it is extremely risky to install packages that were pre-configured by someone else, because such packages can contain backdoors or malware.
It can be extremely critical for some websites to have the latest OpenSSL support.
The aim of this article is to describe how to compile the latest OpenSSL and enable support for it on your server.
OpenSSL is used by many Linux packages, which is why it can be installed system-wide. Daemons will produce errors when they try to work with OpenSSL libraries of unknown versions. This can lead to a complete server crash.
At this point the best option is to place the latest OpenSSL in a custom folder and enable it for the daemons manually.
It is the 14th of May today, and the latest OpenSSL versions available are the following:
- OpenSSL 1.1.0a (new branch)
- OpenSSL 1.0.1u (for 1.0.1 branch)
- OpenSSL 1.0.2i (for 1.0.2 branch)
Let's roll: Install required software:
Download one of the following source packages:
wget -O /usr/local/src/openssl-1.0.1t.tar.gz https://www.openssl.org/source/openssl-1.0.1t.tar.gz
Uncompress it and change into the resulting folder:
I am going to place the entire OpenSSL installation in the following folder, which is why I am using it as a prefix:
After this you can specify the /opt/openssl folder as the path to OpenSSL during compilation to enable it for other software (e.g. PHP, Apache, nginx).
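The steps above as one script, with an integrity check on the tarball before anything is compiled. This is an added example, not the article's original commands: the function names are hypothetical, and it assumes a SHA-256 checksum file for the tarball has been fetched separately and saved next to it.

```sh
#!/bin/sh
# Added example: verify a source tarball, then build OpenSSL into a private prefix.
PREFIX=/opt/openssl        # prefix used in the article
SRC_DIR=/usr/local/src     # download location used in the article's wget line

# verify_sha256 FILE SUMFILE: succeed only if FILE's SHA-256 equals the first
# field of SUMFILE (assumed to hold the published hex digest).
verify_sha256() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(awk 'NR==1 {print tolower($1)}' "$2")
    got=$(sha256sum "$1" | awk '{print $1}')
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# build_openssl TARBALL: unpack, configure with the private prefix, build,
# run the bundled self-tests, and install. The system-wide copy is not touched.
build_openssl() {
    dir=$(tar -tzf "$1" | head -n 1 | cut -d/ -f1)
    [ -n "$dir" ] || return 1
    tar -xzf "$1" -C "$SRC_DIR" || return 1
    ( cd "$SRC_DIR/$dir" &&
      ./config --prefix="$PREFIX" --openssldir="$PREFIX" shared &&
      make && make test && make install )
}

# uses_private_openssl BINARY: succeed if BINARY resolves libssl from PREFIX
# rather than from the distribution's system-wide library.
uses_private_openssl() {
    ldd "$1" 2>/dev/null | grep -q "libssl.*=> $PREFIX/"
}

# main TARBALL SUMFILE: refuse to build when the checksum does not match.
main() {
    if ! verify_sha256 "$1" "$2"; then
        echo "checksum mismatch or missing file: $1" >&2
        return 1
    fi
    build_openssl "$1" && "$PREFIX/bin/openssl" version
}

# Runs only when arguments are given, e.g.:
#   sh build.sh /usr/local/src/openssl-1.0.1t.tar.gz /usr/local/src/openssl-1.0.1t.tar.gz.sha256
if [ "$#" -ge 2 ]; then main "$@"; fi
```

After rebuilding a daemon against /opt/openssl, `uses_private_openssl /path/to/binary` confirms it links the private copy and not the system one.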
The following page can help to build the mod-ssl for Apache: